Improper Access Control Vulnerability in Mintplex-Labs Anything-LLM Application
CVE-2024-3279
What is CVE-2024-3279?
An improper access control vulnerability has been identified in the Anything-LLM application developed by Mintplex Labs. The flaw is in the import endpoint, which an unauthorized user can reach by bypassing authentication. An attacker can then import a malicious database file that deletes or corrupts the existing 'anythingllm.db' file. This compromises the integrity of the affected database and also allows attackers to serve harmful data or gather sensitive user information. The root cause is the application's inadequate restrictions on import functionality, a critical security oversight.
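
A sketch of the two checks this class of bug calls for on an import route: authenticate before any file handling, and never let an upload resolve onto the live database. This is an added example, not Anything-LLM's code; the storage paths, the bearer-token scheme and all function names are assumptions.

```javascript
// Added example: every name here is hypothetical, not Anything-LLM code.
const path = require("node:path").posix;
const crypto = require("node:crypto");

const STORAGE_DIR = "/app/storage";                   // assumed storage root
const IMPORT_DIR = path.join(STORAGE_DIR, "imports"); // assumed staging dir
const PROTECTED = new Set(["anythingllm.db"]);        // live database named in the advisory

// Compare the bearer token in constant time; hashing equalizes lengths.
function isAuthorized(headers, expectedToken) {
  const m = /^Bearer (\S+)$/.exec((headers && headers.authorization) || "");
  if (!m) return false;
  const got = crypto.createHash("sha256").update(m[1]).digest();
  const want = crypto.createHash("sha256").update(expectedToken).digest();
  return crypto.timingSafeEqual(got, want);
}

// Resolve the write path for an uploaded file. Returns null when the name
// escapes the staging directory or would overwrite a protected file.
function resolveImportTarget(filename) {
  if (typeof filename !== "string" || filename.includes("\0")) return null;
  const target = path.resolve(IMPORT_DIR, filename);
  if (!target.startsWith(IMPORT_DIR + "/")) return null;
  if (PROTECTED.has(path.basename(target).toLowerCase())) return null;
  return target;
}

// Gate for the import route: authenticate first, then validate the target.
function checkImport(req, expectedToken) {
  if (!isAuthorized(req.headers, expectedToken)) {
    return { status: 401, reason: "authentication required" };
  }
  const target = resolveImportTarget(req.filename);
  if (!target) return { status: 400, reason: "import target rejected" };
  return { status: 200, target };
}

// Constructed sample requests.
const TOKEN = "constructed-admin-token";
const auth = { authorization: `Bearer ${TOKEN}` };
console.log(checkImport({ headers: {}, filename: "backup.zip" }, TOKEN));
console.log(checkImport({ headers: auth, filename: "../anythingllm.db" }, TOKEN));
console.log(checkImport({ headers: auth, filename: "backup.zip" }, TOKEN));
```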

Affected Version(s)
mintplex-labs/anything-llm < 1.0.0
